Cyber Threat Actor: Nathan
| Actor Type | Location | Known Incidents |
Activist
|
United Kingdom
|
1 incident |
|---|
Profile
Nathan is a threat actor known bythe alias Nathan and has been publicly associated with the United Kingdom. The actor came to attention in October 2019 after gaining unauthorized access to the mailing list of the retailer TOMS Shoes. Using this access, Nathan sent an email to subscribers that urged recipients to step away from digital screens and engage with the physical world. The message also included a direct critique of hackers who engage in malicious activities for profit or personal gain, urging them to cease such behavior and to act ethically toward others. Nathan expressed regret to TOMS Shoes for the intrusion, apologizing in the same communication and asking the company to hold no hard feelings. The retailer confirmed the breach, noting unauthorized activity across its email and social media channels and advising customers to avoid interacting with the suspicious content.
The targeting evidenced in this incident involved a retail sector organization, specifically TOMS Shoes, whose customer communications were compromised. Nathan’s stated objective, as conveyed in the email, was to encourage recipients to log off from digital devices and to promote a broader message about responsible online behavior. The actor also explicitly criticized other hackers who sell private information or act as cyberbullies, framing their own actions as a moral appeal rather than a pursuit of financial gain. No indication of espionage, disruption for strategic advantage, or monetary extortion was present in the communicated content.
Regarding tactics, techniques, and procedures, Nathan disclosed that the method used to access the TOMS Shoes mailing list was described as easy, though no specific technical details, malware families, or tooling were provided. The incident involved unauthorized access to email and social media platforms, suggesting a compromise of credentials or a similar initial vector, but no further specifics about payloads, exploitation techniques, or persistence mechanisms were reported. Consequently, no malware families or distinctive tooling styles can be attributed to Nathan based on the available information.
Attribution to any state sponsor, criminal consortium, or larger hacking group has not been established in public sources, and Nathan operates under a singular alias without known affiliations. The TOMS Shoes mailing list compromise remains the sole publicly reported operation linked to this actor, representing a notable case where the primary aim appeared to be delivering a social message rather than achieving traditional cybercrime objectives. This incident highlights how actors may use access to communication channels to convey ideological statements while acknowledging the impact of their actions on the targeted organization.
